Google Under Fire for Data-Mining Student Email Messages

As part of a potentially explosive lawsuit making its way through federal court, the giant online-services provider Google has acknowledged scanning the contents of millions of email messages sent and received by student users of the company’s Apps for Education tool suite for schools.

In the suit, the Mountain View, Calif.-based company also faces accusations from plaintiffs that it went further, crossing a “creepy line” by using information gleaned from the scans to build “surreptitious” profiles of Apps for Education users that could be used for such purposes as targeted advertising.

The U.S. District Court for the Northern District of California is currently hearing the complaint, which alleges that the data-mining practices behind Google’s Gmail electronic-messaging service violate federal and state wiretap and privacy laws. Gmail is a key feature of Google Apps for Education, which has 30 million users worldwide and is provided by the company for free to thousands of educational institutions in the United States.

A Google spokeswoman confirmed to Education Week that the company “scans and indexes” the emails of all Apps for Education users for a variety of purposes, including potential advertising, via automated processes that cannot be turned off—even for Apps for Education customers who elect not to receive ads. The company would not say whether those email scans are used to help build profiles of students or other Apps for Education users, but said the results of its data mining are not used to actually target ads to Apps for Education users unless they choose to receive them.

Student-data-privacy experts contend that the latter claim is contradicted by Google’s own court filings in the California suit. They describe the case as highly troubling and likely to further inflame rising national concern that protection of children’s private educational information is too lax.

“This should draw the attention of the U.S. Department of Education, the Federal Trade Commission, and state legislatures,” said Khaliah Barnes, a lawyer with the Electronic Privacy Information Center, or EPIC, a Washington-based advocacy group. “Student privacy is under attack.”

“The landscape of what districts are facing is changing at light speed. We have to come together as educational entities and say to vendors that certain privacy protections are nonnegotiable,” says Lenny Schad, chief technology officer for the Houston
Independent School District.

—David Z Einsel/Houston Independent School District-File

In recent months, a broad cross section of public officials, industry leaders, and advocates has coalesced around the principle that students’ educational data should not be used for commercial purposes.

Regardless of whether the alleged data-mining practices of Google Apps for Education are found to constitute illegal wiretapping, such practices would constitute a direct violation of that principle, advocates say.

The questions swirling around Google Apps for Education also have major implications, observers say, for how the Family Educational Rights and Privacy Act, or FERPA, will be interpreted and enforced in the new era of digital technology and “big data” in schools.

The Education Department’s recently issued guidance on student-data privacy appears to deem the alleged practices of Google Apps for Education as violating FERPA. Some experts, however, argue that the federal law is too antiquated to effectively address the complex privacy concerns raised by such high-tech data mining.

The confusion is contributing to a growing wariness of cloud-based education service providers, such as Google, among some K-12 officials.

The 210,000-student Houston Independent School District, for example, recently declined to adopt the popular Google Apps for Education tool suite as part of its high-profile 1-to-1 computing initiative. Chief Technology Officer Lenny Schad said that decision was due in large part to concerns over how Google would handle student information.

“The landscape of what districts are facing is changing at light speed,” Mr. Schad said. “We have to come together as educational entities and say to vendors that certain privacy protections are non-negotiable, and we won’t do business with you until they are in place.”

Plaintiffs’ Arguments

In California, a total of nine plaintiffs are accusing Google of violating federal and state law. They had hoped to turn the case into a class action and to seek financial compensation for millions of Gmail users, as well as to force better disclosure by Google of its practices.

Student-Privacy Complaints

What’s behind the lawsuit filed against Google?
A group of nine plaintiffs allege that Google violated federal and state wiretap laws by intercepting electronic Gmail messages and data-mining those messages for advertising-related purposes, including the building of “surreptitious user profiles.”

Why does this matter to schools?
Two of the plaintiffs are users of Google Apps for Education, a “cloud productivity” tool suite including Gmail that the company provides for free to thousands of K-12 schools and colleges and universities. Observers and privacy experts say that Google’s
alleged data-mining practices would violate the widely espoused principle of “no commercial use of student data.”

Does Google clearly say it won’t target ads to Apps for Education users?
Yes. But the plaintiffs in the lawsuit, including the Apps for Education users, argue that they never gave consent for their email messages to be “scanned and indexed” in order to build user profiles or for other advertising-related purposes.

Where does the case stand now?
On March 18, 2014, Judge Lucy Koh of the U.S. District Court for the Northern District of California denied the plaintiffs’ motion to turn the suit into a class action that could have encompassed millions of Gmail and Apps for Education users. In September, Judge Koh had denied a motion from Google to dismiss the case, rejecting the company’s contention it clearly had users’ consent for its data-mining practices.

SOURCE: Education Week

But Judge Lucy H. Koh, whose court is based in San Jose, denied the request for class-action status March 18 on the grounds that it would be impossible to determine which email users consented to Google's privacy policies.

While much of the California litigation is focused on consumer Gmail users, two of the plaintiffs—Robert Fread, of the University of Hawaii, and Rafael Carrillo, of the University of the Pacific in Stockton, Calif.—are students who say they were required to use Gmail accounts when their institutions adopted Google Apps for Education.

Their universities are among the thousands of institutions of higher education and K-12 schools to adopt the “cloud productivity” suite in recent years. (Google could not provide a current number of K-12 users in the United States.)

Proponents say Google Apps for Education contains powerful, easy-to-use free tools that allow users to perform a wide variety of basic digital functions, such as sending email and keeping a calendar; maintaining cloud-based storage of their information; and collaborating using word-processing, spreadsheet, and other software applications.

Apps for Education is also the foundation for the increasingly popular Chromebook, an inexpensive laptop computer that is now used by 22 percent of school districts in the United States, according to the company.

“I don’t think there’s another product on the market that provides the same level of power to its users, regardless of price,” said Henry C. Thiele, the assistant superintendent for technology and learning for the 6,800-student Maine Township High School District 207 in Illinois.

Mr. Thiele said his district has used Google Apps for Education since 2008. Officials there have always been aware that the company does “back-end processing” of students’ email messages, he said, but the district’s agreement with Google precludes such data from being used to serve ads to students or staff members.

As long as the company abides by those terms, Mr. Thiele said, “I don’t have any problem with it.”

In an emailed statement provided to Education Week, Bram Bout, the director of Google Apps for Education, said that “ads in Gmail are turned off by default for Google Apps for Education and we have no plans to change that in the future.”

A company spokeswoman also noted that email scanning supports such features as virus protection, spelling checks, and Gmail’s “priority inbox,” and said that there is “no processing of information” stored in Google Drive, Docs, or other applications in the product.

But Mr. Carrillo and Mr. Fread say that doesn’t tell the whole story.

Those plaintiffs in the California lawsuit allege that Google treats Google Apps for Education email users virtually the same as it treats consumer Gmail users. That means not only mining students’ email messages for key words and other information, but also using resulting data—including newly created derivative information, or “metadata”—for “secret user profiling” that could serve as the basis for such activities as delivering targeted ads in Google products other than Apps for Education, such as Google Search, Google+, and YouTube.

The plaintiffs allege that Google has employed such practices since around 2010, when it began using a new technology, known as Content Onebox, that allows the company to intercept and scan emails before they reach their intended recipients, rather than after messages are delivered to users’ inboxes, regardless of whether ads are turned off.

Mr. Fread and Mr. Carrillo say that neither they nor any other users of Google Apps for Education consented to such practices. They are seeking financial damages amounting to $100 per day of each day of violation for every individual who sent or received an email message using Google Apps for Education during a two-year period beginning in May 2011.

While the allegations by the plaintiffs are explosive, it’s the sworn declarations of Google representatives in response to their claims that have truly raised the eyebrows of observers and privacy experts.

Contrary to the company’s earlier public statements, Google representatives acknowledged in a September motion to dismiss the plaintiffs’ request for class certification that the company’s consumer-privacy policy applies to Apps for Education users. Thus, Google argues, it has students’ (and other Apps for Education users’) consent to scan and process their emails.

In November, Kyle C. Wong, a lawyer representing Google, also argued in a formal declaration submitted to the court in opposition to the plaintiffs’ motion for class certification that the company’s data-mining practices are widely known, and that the plaintiffs’ complaints that the scanning and processing of their emails was done secretly are thus invalid. Mr. Wong cited extensive media coverage about Google’s data mining of Gmail consumer users’ messages, as well as the disclosures made by numerous universities to their students about how Google Apps for Education functions.

Mr. Wong’s inclusion of the following reference to the disclosure provided to students at the University of Alaska particularly caught the attention of privacy advocates:

The University of Alaska (“UA”) has a “Google Mail FAQs,” which asks, “I hear that Google reads my email. Is this true?” The answer states, “They do not ‘read’ your email per se. For use in targeted advertising on their other sites, if your email is not encrypted, software (not a person) does scan your email and compile keywords for advertising. For example, if the software looks at 100 emails and identifies the word ‘Doritos’ or ‘camping’ 50 times, they will use that data for advertising on their other sites.”

“The fact that Google put this in their declaration means we take it as true,” said Ms. Barnes of the privacy watchdog group EPIC. Google’s sworn court statements reveal that the company has violated student trust by using students’ education records for profit.”

To illustrate the potential harm of Google’s alleged data-mining practices, Bradley S. Shear, a social-media and digital-privacy lawyer based in Bethesda, Md., posed a hypothetical situation in which a teacher using Google Apps for Education emails a parent with information related to a child’s disability status or mental health.

If the full range of allegations in the California suit is true, Mr. Shear said, the contents of such an email could be used by Google to build a digital-user profile that might follow that student indefinitely.

“Who knows what the hell Google is doing with that information, and who knows what problems it could cause for that child in the future,” he said. “Years ago, it might have been put in a filing cabinet, but it wouldn’t be tagged to the child forever.”

'Major FERPA Violations'

Mr. Shear said he saw “major FERPA violations” in Google’s activities and suggested that the Education Department should investigate the company. The Federal Trade Commission, which is responsible for monitoring deceptive business practices, should also take note, he said.

The Family Educational Rights and Privacy Act was enacted in 1974 to protect the privacy of children’s educational records and to prevent unwarranted disclosure.

Last month, the Education Department issued guidance to schools and districts for how to interpret and apply the law in the new age of cloud-based educational services, massive collection of digital data, and increased outsourcing to ed-tech vendors.

One of the scenarios detailed in the guidance appears to closely describe the alleged data-mining practices of Google Apps for Education:

EXAMPLE 4: A district contracts under the school official exception with a provider for basic productivity applications to help educate students: email, calendaring, web-search, and document-collaboration software. The district sets up the user accounts, using basic enrollment information (name, grade, etc.) from student records. Under FERPA, the provider may not use data about individual student preferences gleaned from scanning student content to target ads to individual students for clothing or toys, because using the data for these purposes was not authorized by the district and does not constitute a legitimate educational interest as specified in the district’s annual notification of FERPA rights.

If a student, parent, or educator complains about a vendor potentially violating FERPA or other federal statutes, the department has the authority to investigate those claims and issue written findings back to the school in question and to the public.

Education Department spokeswoman Dorie Nolt said the department would be concerned if a vendor were using personally identifiable information from students’ educational records to target them with ads, but she would not comment on whether the department believes the alleged data-mining practices of Google Apps for Education violate federal law.

Joel R. Reidenberg, a law professor at Fordham University and the author of a much-discussed recent study of districts’ contracts with cloud-service providers such as Google, says that’s an open question, in part because the 40-year-old FERPA does not adequately define what constitutes an educational record in an era in which a previously unthinkable amount of digital data about students proliferates.

“The data-mining and data-processing activities involved in Google Apps for Education are very problematic for student privacy,” Mr. Reidenberg said. “But the complexity of these arrangements exceeds what FERPA is really capable of addressing.”

Greater Scrutiny Ahead

Some of Mr. Reidenberg’s recent work has been funded by Microsoft, the Redmond, Wash.-based computer and software corporation that has been competing with Google for business and challenging the younger company’s privacy policies and practices for years.

In an interview with Education Week, Cameron Evans, Microsoft’s chief technology officer for education, called on Google to be more transparent.

“If they’re not doing anything wrong, they need to step up and say it and explain to people in unambiguous terms how they capture and use [students’] data,” he said.

Mr. Bout of Google, in his statement to Education Week, said the company is “committed to protecting the privacy and security of our users—and that includes students—to make sure their information is safe, secure, and always available to them.”

Of course, the problem extends far beyond Google, Mr. Evans said. A growing number of companies rely on “freemium” business models in which they provide technology services to schools in exchange for access to an increasingly comprehensive body of information about students—including “ambient” data about where they are located, what devices they are using, with whom they are interacting, and more.

As consumers grow savvier, lawsuits such as the one in California will become more frequent, Mr. Evans predicted, and pressure to modernize state and federal data-privacy laws will grow more intense.

The privacy policy for Microsoft’s Office 365, the company’s competitor product for Google Apps for Education, states “We do not mine your data for advertising purposes. It is our policy to not use your data for purposes other than providing you productivity services.”

That approach was appealing to Houston school officials, said Mr. Schad, the district’s CTO.

When seeking vendors as part of its new PowerUp technology initiative, the Houston district was aware of the “thousands of other districts using Google Apps for Education very successfully,” said Mr. Schad, but ultimately elected to contract with Microsoft. Google’s data-mining practices were a red flag, he said, as was the company’s lack of responsiveness to Houston’s concerns about how student data would be handled.

“Four years ago, data privacy was not on people’s radar screens,” Mr. Schad said. “But this issue has legitimate legs, and big [cloud-based tool suites] like Google Apps for Education are going to be under greater scrutiny.”

Vol. 33, Issue 26, Pages 1, 19, 22-23

Published in Print: March 26, 2014, as Google Under Fire for Data Analysis of Student Emails

Notice: We recently upgraded our comments. (Learn more here.) If you are logged in as a subscriber or registered user and already have a Display Name on edweek.org, you can post comments. If you do not already have a Display Name, please create one here.

Ground Rules for Posting
We encourage lively debate, but please be respectful of others. Profanity and personal attacks are prohibited. By commenting, you are agreeing to abide by our user agreement.
All comments are public.